From IP ID to device ID and KASLR bypass

Amit Klein, Benny Pinkas

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution - peer-review

20 Scopus citations

Abstract

IP headers include a 16-bit ID field. Our work examines the generation of this field in Windows (versions 8 and higher), Linux and Android, and shows that the IP ID field enables remote servers to assign a unique ID to each device and thus be able to identify subsequent transmissions sent from that device. This identification works across all browsers and over network changes. In modern Linux and Android versions, this field leaks a kernel address, thus we also break KASLR. Our work includes reverse-engineering of the Windows IP ID generation code, and a cryptanalysis of this code and of the Linux kernel IP ID generation code. It provides practical techniques to partially extract the key used by each of these algorithms, overcoming different implementation issues, and observing that this key can identify individual devices. We deployed a demo (for Windows) showing that key extraction and machine fingerprinting works in the wild, and tested it from networks around the world.

Original language: English
Title of host publication: Proceedings of the 28th USENIX Security Symposium
Publisher: USENIX Association
Pages: 1063-1080
Number of pages: 18
ISBN (Electronic): 9781939133069
State: Published - 2019
Externally published: Yes
Event: 28th USENIX Security Symposium - Santa Clara, United States
Duration: 14 Aug 2019 - 16 Aug 2019

Publication series

Name: Proceedings of the 28th USENIX Security Symposium

Conference

Conference: 28th USENIX Security Symposium
Country/Territory: United States
City: Santa Clara
Period: 14/08/19 - 16/08/19

Bibliographical note

Publisher Copyright:
© 2019 by The USENIX Association. All rights reserved.
